Capture Security Appliance Administration Guide


This Administration Guide provides configuration information for the SonicWall® Capture Security Appliance.

Technical Overview - Capture ATP

To combat evasive and targeted malware, sandbox analysis is required to discover and stop unknown threats. SonicWall Capture Advanced Threat Protection (Capture ATP) is a cloud-based service that provides this type of file analysis.

Traditional network security technology detects known threats but cannot detect advanced threats like custom malware and zero-day exploits. To better detect unknown threats, security professionals are deploying advanced threat detection technologies, such as sandboxes, that analyze the behavior of suspicious files and uncover hidden malware. However, some organizations and agencies cannot send grey-listed files to cloud-based sandboxes for analysis and many on-premises sandboxing technologies are expensive and are prone to evasion tactics.

SonicWall Capture ATP uses a combination of reputation-based checks, static file analysis and SonicWall’s patented Real-Time Deep Memory Inspection™ (RTDMI) engine for dynamic analysis to ensure that it provides not only the best possible detection rate of malicious files, but also does this efficiently, in the shortest possible time. The SonicWall ecosystem of security products, already fully integrated with the cloud-delivered Capture ATP analysis, is able to enforce inline security with features such as Block Until Verdict.

Technical Overview - Capture Security Appliance

The SonicWall Capture Security Appliance™ (CSa) brings Capture ATP and sandboxing malware analysis to on-premises deployment scenarios for customers with compliance and policy restrictions against sending files to cloud analysis, or who prefer that all of their data remain inside their organization. With many attack types only revealing their weaponry within memory, a memory-based approach is required to detect and stop attacks before they reach endpoints. Furthermore, cloud-based sandboxing engines can introduce latency while an on-premise solution can provide better performance.

The SonicWall Capture Security Appliance is an on-premises sandbox for SonicWall next-generation firewalls that enables you to inspect suspicious files within your data center using fast and accurate memory-based analysis to provide a strong layer of defense against advanced and targeted threats.

The Capture Security Appliance can analyze suspicious files coming from other SonicWall products to provide rapid, high accuracy detection of previously unseen threats, while the customer retains custody of their files. Additionally, the REST API functionality on the CSa opens up the benefits of this highly effective file analysis capability to threat intelligence teams, third-party security systems and any software stack that can integrate with published APIs.

To protect against the increasing dangers of unknown, zero-day threats, the Capture Security Appliance detects and optionally blocks unknown threats at the gateway until verdict. Equipped with Real-Time Deep Memory Inspection (RTDMI), the CSa can detect and stop attacks embedded in a wide range of file types by forcing malware to reveal its weaponry into memory.

The same capabilities available with the cloud-based SonicWall Capture ATP are supported when SonicWall firewalls and other products are connected to a Capture Security Appliance.

Capture Security Appliance Key Features

  • Reputation & Global Verdict lookup (configurable)
  • Static analysis & dynamic analysis with RTDMI
  • Broad file type analysis
  • Per-Source Rate Limiting

  • Allow List/Block List on hash/domain
  • Configurable scheduled reporting
  • Logging & alerting
  • Role-based administration (Pre-Configured roles)
  • Management over HTTPS on a dedicated management interface or via the WAN network interface
  • False positive & false negative reporting with automatic whitelist/blacklist
  • Closed Network Operation
  • REST API for device management and for file analysis

  • Hardened OS with Secure Boot and chain of trust for anti-tampering

More details about certain features are provided in the next topics.


SonicWall’s patent-pending Real-Time Deep Memory Inspection (RTDMI) file analysis engine is a novel method of analyzing suspicious files by monitoring the behavior of an application in memory. RTDMI can see through any obfuscation or encryption techniques that modern malware might deploy to evade network and sandbox analysis, yielding extremely high accuracy detection of attacks borne by documents, executables, archive files and a variety of other file types.

Real-Time Protection and Block Until Verdict

The combination of reputation and global intelligence checks, static analysis and RTDMI technology operate in concert to deliver results quickly enough to enable technologies like Block Until Verdict in SonicWall products. This capability allows for a file inspection policy on the firewall to prevent suspicious files from being downloaded by the end-user until the full inspection is completed and a verdict is reached by the Capture Security Appliance.

Broad File Type Analysis

The SonicWall Capture Security Appliance supports analysis for a broad range of file types, including executable programs (PE), DLL, PDFs, MS Office documents, archives, JAR, and APK plus multiple operating systems including Windows, Android, and multi-browser environments. Administrators can customize protection by selecting or excluding files to be sent for analysis, including by file type, file size, sender, recipient and protocol. In addition, administrators can manually submit files to the appliance for analysis.

PDF & MS Office File Detection

The PDF and MS Office capabilities defense against phishing emails containing these files.

The Capture Security Appliance analyzes documents dynamically via proprietary exploit detection technology along with static forms of inspection with the ability to detect many malicious document categories, including:

  • Malicious Flash-based MS Office documents
  • Dynamic Data Exchange (DDE) based exploits and malware inside Office files
  • MS Office and PDF files containing malicious executables
  • PDF documents containing MS Office malware
  • Malevolent shellcode-based files
  • Macro-based malicious files
  • Malicious multi-layer files
  • PDF documents with “JavaScript infectors”
  • JavaScript-based exploits in PDF documents
  • Files leading to phishing and malware hosting websites
  • “Phishing style” malicious PDF documents leading to both phishing and malware hosting websites

Range of Allowed Input Devices

SonicWall firewalls, Email Security systems and a variety of API Connectors are supported.

Reporting, Analysis, Logging and Alerts

The Capture Security Appliance provides reports that detail the analysis results for files sent to the appliance including session information, operating system information and activity, network activity and a copy of the original file (based on privacy settings).

The CSa provides an insight into files submitted from all sources with an easy to navigate dashboard and file analysis history, providing an insight into the frequency, sources, verdicts and other insights around files submitted for analysis.

Reporting capabilities provide a global view into the ATP protection across the organization, with ability to schedule regular reports configured based on different roles.

Log alerts provide notification of suspicious files sent to the CSa and file analysis and verdict results.

User Roles and Administration

Administrators can grant granular access to the CSa to a variety of roles with the ability to restrict access to any part of the CSa web management interface.

Different user roles provide security and flexibility. For example:

  • Security analysts can have access to the scanning history with ability to modify the whitelist/blacklist, allowed devices and report any suspected false positives or false negatives, but cannot make network configuration changes or upgrade firmware.
  • Network-level administrators can be granted access to the operational configuration of the appliance while being restricted, for confidentiality reasons, from seeing the submitted files and their sources.

Deployment Options

SonicWall CSa deployment is quick and straightforward, requiring configuration of basic networking, reporting and allowed device access to get started. For initial setup and information about deployment options, refer to the Capture Security Appliance Getting Started Guide, available on

The CSa is built to be IP-addressable and can therefore be deployed anywhere as long as it is reachable by devices that submit files for analysis.

REST API Gateway

The Capture Security Appliance provides a REST API interface that can be used by API Connectors to submit files for analysis and query results by threat intelligence teams via their own scripts, web-portal integrations and other security products.

Instructions on how to get started with API scripting for the CSa and code samples are available at Details of the management and file submission APIs can be found in the user interface of the appliance.

CSa Hardware Overview

Front PaneL

CSa 1000 front panel


CSa 1000 rear panel

The CSa includes two RAID disks that contain appliance data, as well as internal storage for the OS and maintenance.

The Capture Security Appliance Getting Started Guide also provides hardware information for the CSa.

Console port serial settings: 115200/8/1/N/N

Essential Steps in Configuring the CSa

For details on setting up the CSa, go to and search for:

  • Capture Security Appliance Getting Started Guide

Basic steps for configuring a CSa are summarized below:

  1. Change default password — see Configuring Users
  2. Set up networking (critical, does not operate otherwise) — see Network Configuration
  3. Register & License (critical, does not operate otherwise) — see Registration / Licensing
  4. Update Firmware (highly recommended) — see Firmware Management
  5. Add allowed devices (critical, does not operate otherwise) — see Allowed Devices
  6. Add users and set up roles — see Configuring Users
  7. Set up reporting — see Reporting

Was This Article Helpful?

Help us to improve our support portal

Techdocs Article Helpful form

Techdocs Article NOT Helpful form

  • Still can't find what you're looking for? Try our knowledge base or ask our community for more help.